1. Field of the Invention
The present invention generally relates to a method and system for Internet Protocol network communications and a use thereof for protecting Internet sites against denial of service attacks on insecure public networks such as the Internet.
2. Background
An ever-increasing trend is the use of the Internet Protocol (IP) based Internet as a communications network for business to consumer (B2C), business to business (B2B), and consumer to consumer (C2C) interaction and transactions. There is a constantly evolving gamut of threats encountered with respect to IP networks, particularly the Internet. Although a network is just the communication channel through which information is accessed or flows, the interconnection of systems worldwide through networks, especially the Internet, has become so widespread that it is now a key component of modern military, industrial, government, and private systems. The growing dependence of these systems on a properly functioning network increases their operational vulnerability to disruption of the network. The gamut of threats to IP-network-based systems includes techniques to steal information, corrupt or alter information, destroy information, deny use of services or information, gather indicators of future action, and influence the public's view of social and political issues, and even its confidence in a country's government. The Internet, in particular, is an insecure public network and presents various weaknesses that can be exploited by criminals or other elements to disrupt the normal communications between parties on the Internet. Some of these weaknesses include vulnerabilities to various types of Denial of Service (DoS) attacks. Recently, such attacks have successfully disrupted commercial services offered by prominent vendors.
Denial of Service (DoS) can be defined as action(s) that prevent any part of an automated information system (AIS) from functioning in accordance with its intended purpose, or the intentional degradation or blocking of computer or network resources. The Computer Emergency Response Team (CERT) at Carnegie Mellon University divides Denial of Service into three modes of attack with subcategories. CERT notes that a Denial of Service may only be a component of a larger attack. The three modes are classified under consumption of scarce resources, destruction or alteration of configuration information, and consumption of other resources. This invention particularly relates to the category of Consumption of Scarce Resources, specifically the subcategories of Bandwidth Consumption, Network Connectivity, and Consumption of Other Resources.
Denial of Service (DoS) attacks are often done through the use of scripts, also called tools. A few examples of such tools are Capi, Back Orifice 2000 (BO2K), Domain Name System Attack, and Internet Control Message Protocol (ICMP) ECHO, which is based on the ping-flooding concept. These tools are freely available for download from the Internet.
Distributed Denial of Service (DDoS) is an enhanced version of a Denial of Service attack in which the DoS tools are distributed to multiple hosts, which can then be coordinated to perform an attack on the target host anonymously and simultaneously, typically after some time delay. Some of the currently known Distributed Denial of Service tools are Trinoo, Tribe Flood Network (TFN) and Tribe Flood Net 2K, and Stacheldraht (meaning “barbed wire” in German).
Users of the Internet as a communications medium wish to have immunity from Denial of Service attacks that prevent them from using the Internet as they desire. This is particularly true for businesses offering goods or services for sale to consumers. Disruption of this service can be very costly, as certain attacks in early February 2000 against major commercial Internet sites demonstrated. Some estimates range as high as a $1.2 Billion loss for the several days of attacks.
A commercial site has to widely advertise its Internet address to any potential customers, who use this address to connect to the commercial site to browse for information and make purchases. However, attackers can use the advertised address to direct Denial of Service attacks against the site.
Unicast IP Packet Routing and Delivery
Traditional Internet Protocol (IP) networks rely mostly on the use of unicast (also known as point-to-point) packet routing and delivery for communications between end stations (for example, a user and a host site). For unicast, a packet is generated and passed into the network by a first end station, carrying the destination address of the second end station as a parameter. This packet is then routed through the network until it is delivered to the end station computer (or is discarded within the network if it times out or a route to the specified address is not found). The destination end station may or may not have been expecting this packet. For example, a ping packet or connection request packet is typically not expected by its recipient. On the other hand, once a connection-oriented communication such as TCP (Transmission Control Protocol) over IP has been initiated between the two stations, each station is in effect expecting packets from the other station and actively accounts for and sends acknowledgements for these packets.
Unicast Packet Routing and Denial of Service Attacks
The important thing to note is that the unicast delivery of packets is based on a “push” system. Packets can be generated and inserted into the network for delivery to an end station. The end station has little or no control to stop or regulate the flow of certain types of these packets, even if they are causing problems, e.g. during an active Denial of Service attack. This “push” model forms the weakness that is exploited in many Denial of Service and Distributed Denial of Service attacks occurring on the Internet.
A Denial of Service attack can take the form of a storm of packets addressed to the victim host. This storm of packets can completely clog the communications links into the victim system, thus effectively denying service to any legitimate users. The attack can also take the form of using up resources on the target computer, such as the maximum number of TCP connections. Such an attack can consist of creating multiple TCP connections and then leaving them hanging until they time out. This can use up all the available connection slots, thereby denying legitimate users any connections.
Multicast Technology
In contrast to unicast, multicast within an IP network uses a “pull” type system. The destination end station must actively request the reception of multicast packets by “subscribing” to the router network with special subscription request packets (Internet Group Management Protocol or IGMP) for each multicast address of interest. Once a subscription message is received by a given router from an attached end station, the router will autonomously communicate within the network of routing devices to receive the multicast packets with the applicable address. There can be multiple recipients of this traffic flow. If a subscription for a particular address is not renewed periodically by the attached host (typically on the order of tens of seconds), then the subscription for that particular address will time out and the router network will no longer route packets for delivery to that particular host. Alternatively, a host can “de-subscribe” from a given multicast address with a special de-subscribe message to the router, which has an immediate impact on the delivery of multicast packets. The important difference between multicast and unicast packet delivery is that under multicast, the end computer station has control over the addresses from which it will accept data.
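The push/pull contrast described above, as an added illustration that is not part of the original text: a constructed model of a last-hop router's IGMP membership table, in which a multicast packet reaches only hosts holding a live subscription (renewed within a timeout, or dropped immediately on a leave), while a unicast packet is always delivered to the addressed host. The host labels, group addresses and 60-second timeout are constructed assumptions.

```python
import ipaddress

# Constructed model (added example, not from the patent text) of a last-hop
# router's IGMP membership state. Hosts subscribe to a group address; the
# router forwards a group's packets only while a subscription is live.
MEMBERSHIP_TIMEOUT = 60  # seconds; assumed value, the text says "tens of seconds"


class MulticastRouter:
    def __init__(self):
        # {group_address: {host_address: time_of_last_report}}
        self.members = {}

    def report(self, host, group, now):
        """IGMP membership report: subscribe to, or renew, a group."""
        g = ipaddress.ip_address(group)
        if not g.is_multicast:
            raise ValueError(f"{group} is not a multicast (Class D) address")
        self.members.setdefault(g, {})[host] = now

    def leave(self, host, group):
        """Explicit de-subscribe; takes effect immediately."""
        g = ipaddress.ip_address(group)
        self.members.get(g, {}).pop(host, None)

    def expire(self, now):
        """Drop subscriptions that were not renewed within the timeout."""
        for g in list(self.members):
            self.members[g] = {h: t for h, t in self.members[g].items()
                               if now - t < MEMBERSHIP_TIMEOUT}
            if not self.members[g]:
                del self.members[g]

    def deliver(self, dst, now):
        """Return the set of hosts that receive a packet addressed to dst.

        Unicast is 'push': the addressed host receives the packet whether it
        wants it or not. Multicast is 'pull': only hosts with a live
        subscription to the group receive it; unsolicited groups go nowhere.
        """
        d = ipaddress.ip_address(dst)
        if not d.is_multicast:
            return {str(d)}
        self.expire(now)
        return set(self.members.get(d, {}))
```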
Under the current version of the Internet Protocol (IP Version 4 or IPv4), the addresses assigned for multicast are known as Class D addresses and range from 224.0.0.0 to 239.255.255.255. The Internet Assigned Numbers Authority (IANA) maintains a list of registered users and assigns new numbers for new uses. The range from 224.0.0.0 to 224.0.0.25 is reserved for permanent assignment to various applications, including use by routing protocols. The set from 239.0.0.0 to 239.255.255.255 is reserved for various administratively scoped applications, much the same way as the 192.168.0.0 address range is assigned for administratively scoped unicast purposes. Under IPv6, the emerging new IP version, it is anticipated that there will be 112 bits of information to designate a multicast group. This is a much expanded address space over the current IPv4 allocation, which has only 28 bits of address space.
Multicast Routing Protocols
Routers in a network or internetwork use multicast routing protocols to efficiently route multicast packets through the network or internetwork much the same as they use unicast (point-to-point) routing protocols to efficiently route unicast packets through the network. The multicast protocols are used to deliver multicast packets from the multicast source to multiple destinations that consist of the members of the multicast group.
Unicast routing protocols use one of two basic techniques, either distance vector (e.g. Routing Information Protocol—RIP) or link state (e.g. Open Shortest Path First—OSPF). Multicast routing protocols can be divided into three categories: distance vector (derived from unicast protocols like RIP), link state (derived from protocols like OSPF), and the newer shared-tree protocols. The multicast protocols in use include the Distance Vector Multicast Routing Protocol (DVMRP) and Protocol Independent Multicast—Dense Mode (PIM-DM), based on distance vector; Multicast Open Shortest Path First (MOSPF), based on link state; and Protocol Independent Multicast—Sparse Mode (PIM-SM) and Core-Based Tree (CBT), based on shared trees. Each of these protocols has its strengths and weaknesses and is employed on various parts of the Internet.
Normally, in any Autonomous System (or domain) within the Internet, only one multicast protocol is used. An Autonomous System is defined as a network administered by one entity and operating under one unicast routing protocol. A protocol used only within an Autonomous System is referred to as an interior gateway protocol (IGP). The administrative authority for a given Autonomous System specifies which unicast and multicast protocols are to be used within the Autonomous System. The decision is based on a number of factors, including the type of routing equipment used in the Autonomous System, personnel experience with the various protocols, the expected number of users and groups, and the dispersion of users. There are protocols in place for routing unicast between Autonomous Systems, known as exterior gateway protocols (EGP). Autonomous Systems within the Internet are linked together by routers that use these unicast EGPs, which enforce routing policies. One weakness of multicast is the lack of an EGP for routing multicast between Autonomous Systems. There is work underway to define interdomain routing protocols, notably the Border Gateway Multicast Protocol (BGMP).
Tunneling
An IP packet tunneling technique can be used to tunnel multicast packets from one area of the Internet to another area of the Internet through an area that does not support multicast. In this technique, the multicast packets are received by a router or host on one end of a tunnel, encapsulated in a unicast IP packet and sent by normal IP unicast to the router or host at the other end of the tunnel where the packets are de-encapsulated and sent back out into the network as multicast packets. This technique is effective but requires a significant amount of administrative overhead.
Scoping
Scoping of multicast packets refers to methods of limiting the range to which a multicast packet can travel in a network. There are presently two main methods used for scoping multicast packets: administrative scoping and Time To Live (TTL) scoping. Administrative scoping involves using multicast addresses from the address space 239.0.0.0 to 239.255.255.255 on packets. Multicast packets in this range do not cross administrative boundaries. Since these multicast addresses are assigned locally within the Autonomous System, they need not be unique between areas, thus allowing for reuse of address space. TTL scoping refers to placing a low value in the TTL field of a packet when it is initially created. Every IP packet has a one-byte field that defines a time to live for the packet. Every time the packet crosses a router or similar device, or is held in a queue for 30 seconds, the TTL field is decremented. If the TTL reaches zero before the packet reaches its ultimate destination, the packet is discarded wherever it is at that moment. Placing a low initial value in the TTL of the packet limits the range to which it can travel.
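The two scoping mechanisms just described, as an added worked example that is not part of the original text: a constructed walk of a multicast packet along a path of routers, where each hop decrements the TTL and discards the packet when it reaches zero, and a router marked as an administrative boundary refuses to forward traffic in the 239.0.0.0/8 range. The router names, path layout and the boundary flag are constructed assumptions.

```python
import ipaddress

# Administratively scoped range from the text; such packets must not cross an
# administrative boundary. (Added example, not the patent's own code.)
ADMIN_SCOPED = ipaddress.ip_network("239.0.0.0/8")


def forward_multicast(dst, ttl, path):
    """Walk one multicast packet along `path`.

    `path` is a constructed list of (router_name, is_admin_boundary) tuples.
    Returns (delivered, routers_crossed, reason). Each router decrements the
    TTL and discards the packet if the result is zero; a boundary router
    drops administratively scoped (239/8) packets instead of forwarding them.
    """
    d = ipaddress.ip_address(dst)
    if not d.is_multicast:
        raise ValueError(f"{dst} is not a multicast address")
    if ttl <= 0:
        return False, 0, "TTL already zero at origin"
    for hop, (router, is_boundary) in enumerate(path, start=1):
        if is_boundary and d in ADMIN_SCOPED:
            return False, hop - 1, f"{router}: administrative boundary"
        ttl -= 1
        if ttl == 0:
            return False, hop, f"{router}: TTL expired"
    return True, len(path), "delivered"


def max_routers_reachable(ttl):
    """Number of routers a packet with initial TTL `ttl` can pass through
    and still be forwarded onward (the scoping radius set by a low TTL)."""
    return max(ttl - 1, 0)
```

A sender that wants to confine a group to its campus can therefore pick a TTL just large enough for the in-campus hops, or use a 239/8 address and rely on boundary routers; both are checked by the functions above.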
Multicast Address Allocation
Currently there are very few permanently allocated multicast addresses. Multicast applications are quite free to choose nearly any multicast address for their use. There is a danger of address collision with other applications, so applications must be designed to detect and handle erroneous packets from other applications using the same multicast address. Methods are currently being researched to prevent this problem by providing dynamic multicast address allocation. The current research has defined a three-level allocation hierarchy. Within an Allocation Domain, the lower-level multicast applications running on hosts use a Multicast Dynamic Host Control Protocol (MDHCP) (based on the Dynamic Host Control Protocol) to request multicast addresses from the next-level Multicast Address Allocation Servers (MAAS). An Allocation Domain normally coincides with the boundaries of the Autonomous System in which it is located. The MAASs claim multicast addresses allocated through the use of the multicast Address Allocation Protocol (AAP). Certain nodes within the Autonomous System, usually routers, use the Multicast Address Set Claim (MASC) protocol to claim multicast address sets, which they allocate to the MAASs through the AAP. This architecture is experimental, and no devices are known that currently support it.
Router Interfaces
Routers are complex devices designed to efficiently receive and transmit data packets across multiple physical communication channels. These channels can include Ethernet, token ring, serial lines, ATM links, or Frame Relay, all with varying characteristics and setup requirements. These channels are normally physically connected to the routers on what are called interfaces. The routers run various protocols that determine how they will receive, process, and transmit packets. These protocols can include the unicast routing protocols such as RIP or OSPF, and the multicast protocols such as DVMRP or MOSPF. Normally routers communicate with each other to exchange status and routing information in order to optimize delivery of packets. This data exchange can include advertising routes the router is aware of to reach an end destination.
Router Limitations
There are some physical implementation limitations in routers, depending on the manufacturer and the model. For example, in the Cisco 3600 series of routers there is a default maximum of 7000 entries allowed in the multicast routing table. This parameter can be changed by configuring the router.
Thus, in an Internet Protocol network, having a publicly available communications address is problematic, as undesirable third parties may launch an attack that overwhelms the particular address, or may monitor the address for information not intended for them.
Transmitting IP packets to an IP address is somewhat akin to transmitting a signal at a particular frequency. A third party to the communication can monitor the frequency to eavesdrop on the communication, or attempt to overwhelm or jam the frequency with a jamming signal. In the radio communications field, a technique known as spread spectrum communications employs a frequency hopping system in which a transmitting station transmits bursts of data sequentially on a prearranged set of channels in a predetermined random pattern at specific times. The receiving station listens to the appropriate channels at the appropriate times in order to receive the communications. Frequencies can be shared among many users, as there can be many groups all hopping around in the frequency channels in a coordinated fashion. Spread spectrum techniques permit secure communications, reducing an adversary's information gathering and denial of communications abilities. However, such techniques require coordinated efforts between transmitting and receiving parties.
Thus, it is desirable for end stations communicating in an IP network having the limitations described herein, particularly where the address used for communication is publicly known, to have a method or system that alleviates most or all of the effects of certain types of Denial of Service attacks or information gathering.